Cheap smart plugs are a major cybersecurity vulnerability and could easily be used by criminals to break into a person’s devices, or even home, experts are saying.
In a blog post, security firm A&O IT Group detailed its security analysis of two cheap and widely available smart plugs - the Sonoff S26 and the Ener-J WiFi.
These smart plugs, which can reportedly easily be obtained on Amazon, eBay and Aliexpress for as little as $10, can be used to obtain login credentials to the target’s WiFi network. This was made possible due to the fact that these devices communicate with the router via port 80, sending unencrypted HTTP traffic, as well as due to weak factory passwords.
- Here’s our list of the best endpoint protection software right now
- We’ve built a list of the best firewalls on the market
- Check out our list of the best malware removal software available
Once the attackers obtain WiFi credentials, they’re able to connect to the target network and from there do all kinds of nasties, from receiving video and audio from laptops, controlling vulnerable smart devices, downloading sensitive data or even monitoring traffic from other devices.
They could also use the WiFi to download illegal material from the internet, or launch attacks on other users’ devices, with virtually no chance of being caught.
Setting up a guest SSID
This becomes even more concerning if the victim has things like smart door locks or video surveillance on the same network. In that scenario, an attacker would even know when the residents are out and about, and could even be able to break into the premises.
A&O IT Group says it has notified both Sonoff and Ener-J of the discovered vulnerabilities but is yet to hear back from either manufacturer.
To mitigate the issue, experts from CNX Software, are saying, the quickest way is to set up a guest SSID for the IoT gadgets, so that other important devices don’t share the same network.
- Here's our rundown of the best antivirus solutions out there
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.